Wednesday, April 24, 2024

Encryption, Tokenization Loom Large As PCI Council Mulls Changes

Will the 2010 iteration of the Payment Card Industry data-security standard represent a major break from the current version or just have some minor changes? That's the question before the card networks, merchants, merchant acquirers, and payment processors now that one meeting with PCI stakeholders is down and another is coming up in a two-year process to update the critical rules governing card security. “It's still too early to say,” Robert Russo, general manager of the PCI Security Standards Council, tells Digital Transactions News.

The PCI Council held its annual North American Community Meeting in Las Vegas Sept. 22-24. A similar meeting is set for Oct. 27-28 in Prague, Czech Republic. The PCI Council, which administers but does not enforce the overarching PCI standard and related rules (enforcement is the job of the card networks), upgraded the first standard to version 1.2 last year. Observers regarded the 2008 changes, which included upgrades in wireless security, mostly as tweaks (Digital Transactions News, Oct. 1, 2008).

But a lot has happened since then, including the disclosure by merchant acquirer Heartland Payment Systems Inc. of what apparently is the biggest breach of payment card data ever. Federal authorities have the man believed to be behind the Heartland and several other big data breaches in custody, though accomplices remain at large. Meanwhile, the card industry is abuzz with talk about new security technology, especially end-to-end encryption of payment data during the transaction process, a technology that the post-breach Heartland is pushing strongly. And, of course, the complaints from merchants about the costs and difficulties of complying with PCI continue unabated. All that has observers wondering how the upgrade expected to be released in about a year will be different from version 1.2. Russo indicates that technology will be a big driver of any changes.

The PCI Council commissioned accounting and consulting firm PricewaterhouseCoopers LLP (PwC) to study security technologies and present findings at the Las Vegas meeting. PwC conducted open-ended interviews with more than 100 companies in 10 markets, asking executives about their ideas about effective security technology. Russo says it's too early to endorse any single technology, but he says end-to-end encryption and a related technology, tokenization, ranked high in the minds of PwC's respondents. Those systems, however, have their own variations and are among many other technologies that could figure in how the PCI standards change, according to Russo. “There are probably 20, 30, 50 technologies that didn't get mentioned,” he says. “We're trying to make sure people understand there are no silver bullets here.”

Russo also notes that the European meeting will certainly include discussion of the so-called EMV chip, the security technology that is replacing the magnetic stripe in many countries, including Canada. The U.S. card industry, however, is resisting in large part because of the billions of dollars it would cost to upgrade card-accepting terminals. The full PwC report isn't even done yet, but it will become part of the input the Wakefield, Mass.-based PCI Council considers after the feedback period of the update process ends Oct. 31. The council also will review opinions from its 500-plus so-called “participating organizations” and other entities before releasing the next upgrade.

Besides technology, the scope of what is or is not covered by the PCI rules could get some attention. While the standards say any computer system, data-transfer network, and hardware and software that touch card data must be PCI-compliant, the real-world process of determining exactly what's in or not in PCI's scope isn't so clean-cut for many companies. That's especially true if a merchant is outsourcing most or all of its card-processing operations. “Reduction in scope was a big, big thing” at the Las Vegas meeting, says Russo.

Meanwhile, Russo says the PCI Council is making progress in its year-old effort to improve the work of Qualified Security Assessors (QSAs), the council-endorsed companies that inspect merchant and processor systems for PCI compliance. Some assessors, especially those working for small firms, are poorly trained and their reports contain omissions or inaccuracies, according to some observers. To address those concerns, the PCI Council started what it calls its Quality Assurance program for QSAs that includes closer monitoring by council staff. “Nobody was really looking over their shoulder,” Russo says. The council's online list of QSAs now denotes in red QSAs that are in “remediation.” The current list, which includes four such firms, can be downloaded from www.pcisecuritystandards.org/qsa_asv/find_one.shtml.

In other payment card security news this week, Visa Inc. issued what it calls best practices for end-to-end encryption. The guidelines can be found at corporate.visa.com/media-center/press-releases/press941.jsp. And the new Secure POS Vendor Alliance has named Steven Hughes, formerly executive director of the Oracle Applications Users Group, as its first president. The leading point-of-sale terminal vendors (VeriFone Holdings Inc., Hypercom Corp., and Ingenico) founded SPVA last spring to promote better security in payment card processing hardware and software (Digital Transactions News, April 22).
